CVE-2022-1756

The Newsletter WordPress plugin before 7.4.5 does not sanitize and escape the $SERVER'REQUESTURI' before echoing it back in admin pages. Although this uses addslashes, and most modern browsers automatically URLEncode requests, this is still vulnerable to Reflected XSS in older browsers such as...

CVE-2024-10815

CVE-2024-10815 pertains to the PostLists WordPress plugin (up to 2.0.2). The issue arises because the plugin does not escape the $_SERVER['REQUEST_URI'] value before echoing it into an HTML attribute, enabling a Reflected XSS in older browsers. Affected plugin: PostLists (WordPress). Root cause: ...